Abstract

Let $E/\mathbb{Q}$ be an elliptic curve with a fixed modular parametrization $\Phi_E : X_0(N) \to E$ and let $P_1, \ldots, P_r \in E(\bar{\mathbb{Q}})$ be Heegner points attached to the rings of integers of distinct quadratic imaginary fields $k_1, \ldots, k_r$. We prove that if the odd parts of the class numbers of $k_1, \ldots, k_r$ are larger than a constant $C = C(E, \Phi_E)$ depending only on $E$ and $\Phi_E$, then the points $P_1, \ldots, P_r$ are independent in $E(\bar{\mathbb{Q}})/E_{\mathrm{tors}}$. We also discuss a possible application to the elliptic curve discrete logarithm problem.

Introduction 

The theory of Heegner points provides a fundamental method for creating algebraic points on modular curves and on the elliptic curves that they parametrize. The work of Wiles et al. [BCDT01, CDT99, TW95, Wil95] says that every elliptic curve $E/\mathbb{Q}$ of conductor $N$ admits a modular parametrization $\Phi_E : X_0(N) \to E$, so in particular there is a theory of Heegner points on elliptic curves defined over $\mathbb{Q}$. Heegner points appear prominently in the work of Gross, Kohnen, and Zagier [GKZ87, GZ86] on the Birch-Swinnerton-Dyer conjecture and in the work of Kolyvagin [Kol88a, Kol88b] on Mordell-Weil ranks and Shafarevich-Tate finiteness. (A nice survey of this material may be found in [Dar04].)

Of particular importance in the work of Kolyvagin and others is the construction of Euler 
systems of Heegner points. (See ^CqIBOJ for a general formulation.) These are collections of Heegner 
points $(P_n)$ defined over a tower of ring class fields lying over a single quadratic imaginary field and satisfying various trace and Galois compatibility conditions. In this paper we consider the orthogonal problem of collections of Heegner points $(P_n)$ defined over class fields of different quadratic imaginary fields.

Our main theorem says that under a fairly mild class number condition, such a set of Heegner points on $E$ corresponding to distinct quadratic imaginary fields has maximal rank in $E(\bar{\mathbb{Q}})/E_{\mathrm{tors}}$. We briefly state the result here and refer the reader to Sections 1 and 2 for definitions and to Section 8 for a more precise statement.

Theorem 1. Let $E/\mathbb{Q}$ be an elliptic curve (with a given modular parametrization). There is a constant $C = C(E)$ so that the following is true.

Let $k_1, \ldots, k_r$ be distinct quadratic imaginary fields whose class numbers satisfy

$h(k_i)^{\mathrm{odd}}$   for all $1 \le i \le r$,

where $h^{\mathrm{odd}}$ denotes the odd part of the integer $h$. Let $P_1, \ldots, P_r \in E(\bar{\mathbb{Q}})$ be Heegner points associated to (the ring of integers of) $k_1, \ldots, k_r$, respectively. Then

$P_1, \ldots, P_r$ are independent in $E(\bar{\mathbb{Q}})/E_{\mathrm{tors}}$.



Remark 2. Theorem 1 is possibly not surprising, and indeed the statement may be true with no (or a much weaker) class number hypothesis. On the other hand, since the compositum of the quadratic imaginary fields $k_1, \ldots, k_r$ may have degree as small as $r$, as opposed to the maximal value of $2^r$, there seems no obvious reason why the associated Heegner points must be completely independent. Thus elementary considerations might lead to an estimate of the form



but the proof of the stronger statement given in Theorem 1 requires a blend of class field theory, Galois theory, linear algebra (over $\mathbb{Z}/n\mathbb{Z}$), and Serre's theorem on the image of Galois in $\mathrm{Aut}(E_{\mathrm{tors}})$.

Remark 3. Other authors have considered the behavior of Heegner points associated to different quadratic imaginary fields. In particular, we mention the fundamental work of Gross, Kohnen and Zagier [GKZ87]. In the notation of Theorem 1, the Heegner point $P_i \in E(\bar{\mathbb{Q}})$ is defined over the Hilbert class field $K_i$ of $k_i$. We can obtain points defined over $\mathbb{Q}$ by taking the trace,

$$Q_i = \mathrm{Trace}_{K_i/\mathbb{Q}}(P_i) \in E(\mathbb{Q}).$$

Gross, Kohnen, and Zagier [op. cit.] compute the canonical height pairing $\langle Q_i, Q_j \rangle$ of these points and prove that $Q_1, \ldots, Q_r$ generate a subgroup of $E(\mathbb{Q})$ of rank at most 1. More precisely, they show that



This is in accordance with the predictions of the Birch-Swinnerton-Dyer conjecture.

Aside from its intrinsic interest, the independence result of Theorem 1 has a (negative) application to the elliptic curve discrete logarithm problem (ECDLP). If the theorem were false and Heegner points had a tendency to be dependent, then potentially there would be an algorithm to solve the ECDLP on elliptic curves with small coefficients by using Deuring lifts and Heegner points. We briefly sketch the idea in Section 9 and refer the reader to [RS] for a more detailed description.

Finally, in Section 10 we make some brief remarks and raise a question concerning the distribution of quadratic imaginary fields whose class numbers have bounded odd parts.

1. Heegner points on $X_0(N)$

In this section we briefly review the theory of Heegner points on the modular curve $X_0(N)$ and in the next section we discuss Heegner points on elliptic curves. We refer the reader to [Dar04, §§3.1, 3.3] and [Gro84] for further details.

Recall that the noncuspidal points of the modular curve $X_0(N)$ classify isomorphism classes of triples $(A, A', \phi)$ consisting of two elliptic curves $A$ and $A'$ and an isogeny $\phi : A \to A'$ whose kernel is cyclic of order $N$. Heegner points are associated to orders in quadratic imaginary fields, so we set

$k/\mathbb{Q}$   a quadratic imaginary field,
$\mathcal{O}_k$   the ring of integers of $k$,
$\mathcal{O}$   an order in $\mathcal{O}_k$.

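Every order has the form $\mathcal{O} = \mathbb{Z} + c\,\mathcal{O}_k$ for a unique integer $c \ge 1$ called the conductor of $\mathcal{O}$. The discriminant of $\mathcal{O}$ is given by

$$\mathrm{Disc}(\mathcal{O}) = c^2\,\mathrm{Disc}(\mathcal{O}_k), \quad\text{where } c = (\mathcal{O}_k : \mathcal{O}).$$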

In order to describe the Heegner points on $X_0(N)$, we follow the notation used in [Dar04] and define:

$\mathrm{Pic}(\mathcal{O})$   the Picard group (or class group) of $\mathcal{O}$, defined to be the group of isomorphism classes of rank 1 projective $\mathcal{O}$-modules. If $\mathcal{O} = \mathcal{O}_k$, then $\mathrm{Pic}(\mathcal{O})$ is the usual ideal class group of $\mathcal{O}_k$.

$\mathrm{Ell}^{(N)}(\mathcal{O})$   the set of isomorphism classes of triples $(A, A', \phi)$ such that $A$ and $A'$ are elliptic curves satisfying

$$\mathrm{End}(A) \cong \mathrm{End}(A') \cong \mathcal{O}$$

and $\phi : A \to A'$ is an isogeny with $\ker(\phi) = \mathbb{Z}/N\mathbb{Z}$.

$\mathrm{CM}^{(N)}(\mathcal{O})$   the set of points in the noncuspidal part of $X_0(N)$ corresponding to the triples $(A, A', \phi)$ in $\mathrm{Ell}^{(N)}(\mathcal{O})$.

Definition. We will generally identify without further comment the two sets

$$\mathrm{Ell}^{(N)}(\mathcal{O}) \longleftrightarrow \mathrm{CM}^{(N)}(\mathcal{O}).$$

The points in either set are called Heegner points of $X_0(N)$.

It is clearly important to determine conditions on O that ensure that there exist nontrivial 
Heegner points. 

Proposition 4. Assume that the discriminant of $\mathcal{O}$ is prime to $N$. Then the set $\mathrm{Ell}^{(N)}(\mathcal{O})$ is nonempty if and only if every prime dividing $N$ is split in $k$.

Proof. See [Dar04, Proposition 3.8], or see [Gro84, §3] for a stronger statement in which it is only required that $N$ be relatively prime to the conductor of $\mathcal{O}$. □

Definition. We say that $\mathcal{O}$ satisfies the Heegner condition for $N$ if the following two conditions are satisfied:

(1) $\gcd(\mathrm{Disc}(\mathcal{O}), N) = 1$.

(2) Every prime dividing $N$ is split in $k$.

We say that k satisfies the Heegner condition for N if its ring of integers satisfies the condition. 
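The following Python code is an added example, not taken from the paper: it tests conditions (1) and (2) for the ring of integers of $\mathbb{Q}(\sqrt{D})$ and computes the odd part of the class number, the quantity that Theorem 1 requires to be large. The function names and the sample conductor $N = 11$ are assumptions chosen for illustration, and class numbers are obtained by counting reduced binary quadratic forms, a standard method that the paper does not discuss.

```python
from math import gcd, isqrt


def prime_factors(n):
    """Distinct primes dividing n >= 1 (trial division)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def is_squarefree(m):
    m = abs(m)
    return all(m % (q * q) != 0 for q in range(2, isqrt(m) + 1))


def is_fundamental(D):
    """True if D < 0 is the discriminant of the ring of integers of Q(sqrt(D))."""
    if D >= 0:
        return False
    if D % 4 == 1:
        return is_squarefree(D)
    return D % 4 == 0 and (D // 4) % 4 in (2, 3) and is_squarefree(D // 4)


def splits(p, D):
    """True if the prime p splits in Q(sqrt(D)), D a fundamental discriminant."""
    if D % p == 0:
        return False                      # p ramifies
    if p == 2:
        return D % 8 == 1
    return pow(D % p, (p - 1) // 2, p) == 1   # Euler's criterion


def satisfies_heegner_condition(D, N):
    """Conditions (1) and (2) of the definition, for the maximal order."""
    return gcd(D, N) == 1 and all(splits(p, D) for p in prime_factors(N))


def class_number(D):
    """h(D): number of reduced primitive forms ax^2 + bxy + cy^2 with b^2 - 4ac = D < 0."""
    h, b = 0, D % 2
    while 3 * b * b <= -D:                # reduced forms have |b| <= a <= c
        ac = (b * b - D) // 4
        for a in range(max(b, 1), isqrt(ac) + 1):
            if ac % a:
                continue
            c = ac // a
            if gcd(gcd(a, b), c) != 1:
                continue
            # (a, b, c) and (a, -b, c) are distinct classes unless b = 0, a = b or a = c
            h += 1 if (b == 0 or a == b or a == c) else 2
        b += 2
    return h


def odd_part(h):
    while h % 2 == 0:
        h //= 2
    return h


def heegner_fields(N, bound):
    """(D, h, odd part of h) for fundamental D, |D| <= bound, satisfying the Heegner condition for N."""
    rows = []
    for D in range(-3, -bound - 1, -1):
        if is_fundamental(D) and satisfies_heegner_condition(D, N):
            h = class_number(D)
            rows.append((D, h, odd_part(h)))
    return rows


if __name__ == "__main__":
    # N = 11 is a constructed sample conductor, not a value taken from the paper.
    for D, h, h_odd in heegner_fields(11, 100):
        print(f"D = {D:4d}   h = {h}   odd part = {h_odd}")
```

Among the discriminants with $|D| \le 100$ that satisfy the condition for this sample $N$, only three have class number with odd part larger than 1, which shows how restrictive a class number hypothesis of this kind is for small fields.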

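Let $\mathcal{O}$ be an order in $k$. Class field theory associates to $\mathcal{O}$ a finite abelian extension $K_\mathcal{O}/k$, called the ring class field of $k$ attached to $\mathcal{O}$. The extension $K_\mathcal{O}/k$ is unramified outside the primes dividing the conductor of $\mathcal{O}$, and the Artin reciprocity map gives an isomorphism

$$(\,\cdot\,, K_\mathcal{O}/k) : \mathrm{Pic}(\mathcal{O}) \xrightarrow{\ \sim\ } \mathrm{Gal}(K_\mathcal{O}/k). \qquad (1)$$

In particular, if $\mathfrak{p} \in \mathrm{Pic}(\mathcal{O})$ corresponds to a prime ideal of $k$ that does not divide $\mathrm{Disc}(\mathcal{O})$, then $(\mathfrak{p}, K_\mathcal{O}/k)$ is the inverse of the Frobenius element at $\mathfrak{p}$.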

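Theorem 5. Let $\mathcal{O}$ be an order in $k$ that satisfies the Heegner condition for $N$.

(a) The points in $\mathrm{CM}^{(N)}(\mathcal{O})$ are defined over $K_\mathcal{O}$, i.e.,

$$\mathrm{CM}^{(N)}(\mathcal{O}) \subset X_0(N)(K_\mathcal{O}).$$

(b) The points of $\mathrm{Ell}^{(N)}(\mathcal{O})$ are in one-to-one correspondence with the set of pairs

$$\{(\mathfrak{n}, \mathfrak{a}) : \mathfrak{a} \in \mathrm{Pic}(\mathcal{O}),\ \mathfrak{n} \text{ is a proper } \mathcal{O}\text{-ideal},\ \mathcal{O}/\mathfrak{n} \cong \mathbb{Z}/N\mathbb{Z}\}.$$

The correspondence is given explicitly by associating to a pair $(\mathfrak{n}, \mathfrak{a})$ the cyclic $N$-isogeny

(c) There is a natural action of $\mathrm{Pic}(\mathcal{O})$ on $\mathrm{Ell}^{(N)}(\mathcal{O})$ (and thus also on $\mathrm{CM}^{(N)}(\mathcal{O})$) which we denote by $\star$. In terms of pairs $(\mathfrak{n}, \mathfrak{a})$, it is given by the formula

$$\mathfrak{b} \star (\mathfrak{n}, \mathfrak{a}) = (\mathfrak{n}, \mathfrak{a}\mathfrak{b}).$$

(d) The $\star$-action is compatible with the action of Galois via the reciprocity map in the sense that

$$y^{(\mathfrak{b}, K_\mathcal{O}/k)} = \mathfrak{b}^{-1} \star y \quad\text{for all } y \in \mathrm{CM}^{(N)}(\mathcal{O}).$$

Proof. See [Dar04, Chapter 3] or [Gro84]. □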

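For our purposes, the importance of Theorem 5 is that it allows us to conclude that every point in $\mathrm{CM}^{(N)}(\mathcal{O})$ generates a large extension of $k$, as in the following result.

Corollary 6. Let $\mathcal{O}$ be an order in $k$ that satisfies the Heegner condition for $N$ and let $y \in \mathrm{CM}^{(N)}(\mathcal{O})$. Then

$$k(y) = K_\mathcal{O}.$$

Proof. We know from Theorem 5(a) that $y$ is defined over $K_\mathcal{O}$. Further, if we identify $y$ with a pair $(\mathfrak{n}, \mathfrak{a})$ as in Theorem 5(b), then (c) and (d) tell us that the full set of Galois conjugates of $y$ is given by

$$\{y^\sigma : \sigma \in \mathrm{Gal}(K_\mathcal{O}/k)\} = \{\mathfrak{b} \star y : \mathfrak{b} \in \mathrm{Pic}(\mathcal{O})\} = \{(\mathfrak{n}, \mathfrak{a}\mathfrak{b}^{-1}) : \mathfrak{b} \in \mathrm{Pic}(\mathcal{O})\} = \{(\mathfrak{n}, \mathfrak{b}) : \mathfrak{b} \in \mathrm{Pic}(\mathcal{O})\}.$$

The points $(\mathfrak{n}, \mathfrak{b})$ are distinct for distinct $\mathfrak{b} \in \mathrm{Pic}(\mathcal{O})$, so we see that

$$[K_\mathcal{O} : k] \ge [k(y) : k] = \#\{y^\sigma : \sigma \in \mathrm{Gal}(K_\mathcal{O}/k)\} \ge \#\mathrm{Pic}(\mathcal{O}). \qquad (2)$$

Class field theory tells us that $\#\mathrm{Pic}(\mathcal{O}) = [K_\mathcal{O} : k]$. Hence all of the inequalities in (2) are equalities, which proves that $k(y) = K_\mathcal{O}$. □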



2. Heegner points on elliptic curves 

Let $E/\mathbb{Q}$ be an elliptic curve of conductor $N$. The theorem of Wiles et al. [BCDT01, Wil95] says that there exists a modular parametrization

$$\Phi_E : X_0(N) \to E.$$

The map $\Phi_E : X_0(N) \to E$ is a finite covering defined over $\mathbb{Q}$.

Definition. Let $k$ be a quadratic imaginary field and let $\mathcal{O}$ be an order in $k$ that satisfies the Heegner condition for $N$. The set of Heegner points of $E$ (associated to $\mathcal{O}$) is the set

$$\{\Phi_E(y) : y \in \mathrm{CM}^{(N)}(\mathcal{O})\}.$$

The action of $\mathrm{Pic}(\mathcal{O})$ and $\mathrm{Gal}(K_\mathcal{O}/k)$ on $\mathrm{CM}^{(N)}(\mathcal{O})$ as described in Theorem 5 translates directly into analogous actions on Heegner points on $E$, see [Dar04, Theorems 3.6, 3.7]. All that we will require is the following elementary consequence.






On the independence of Heegner points 



Proposition 7. Let $\mathcal{O}$ be an order in $k$ that satisfies the Heegner condition for $N$, let $y \in \mathrm{CM}^{(N)}(\mathcal{O})$, and let $P_y = \Phi_E(y)$ be the associated Heegner point. Then

[Ko ■■ k] 



[k{Py) : k] 



Proof. To ease notation, let

$$d = \deg \Phi_E, \qquad n = [K_\mathcal{O} : k], \qquad m = [k(P_y) : k].$$

From Corollary 6 we know that $k(y) = K_\mathcal{O}$, so $y$ has exactly $n$ Galois conjugates, say $y_1, \ldots, y_n$. Further, Galois acts transitively on the collection of points $y_1, \ldots, y_n$, so it acts transitively on their images $\Phi_E(y_1), \Phi_E(y_2), \ldots, \Phi_E(y_n)$. Since $\Phi_E$ is at most $d$-to-1, it follows that $P_y$ has at least $n/d$ distinct conjugates, and hence that $m \ge n/d$. □

The ring class field $K_\mathcal{O}$ is an abelian extension of $k$. It is not an abelian extension of $\mathbb{Q}$, but it is a Galois extension, and there is an exact sequence

$$1 \to \mathrm{Gal}(K_\mathcal{O}/k) \to \mathrm{Gal}(K_\mathcal{O}/\mathbb{Q}) \to \mathrm{Gal}(k/\mathbb{Q}) \to 1.$$

The elements in $\mathrm{Gal}(K_\mathcal{O}/\mathbb{Q})$ with nontrivial image in $\mathrm{Gal}(k/\mathbb{Q})$ are called reflections. The structure of $\mathrm{Gal}(K_\mathcal{O}/\mathbb{Q})$ and its action on Heegner points is described in the following proposition.

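Proposition 8. Let $\mathcal{O}$ be an order in the quadratic imaginary field $k$, let $K_\mathcal{O}$ be the associated ring class field, and let $\rho \in \mathrm{Gal}(K_\mathcal{O}/\mathbb{Q})$ be a reflection.

(a) The extension $K_\mathcal{O}/\mathbb{Q}$ is Galois with group equal to a generalized dihedral group. More precisely,

$$\rho\sigma = \sigma^{-1}\rho \quad\text{for all } \sigma \in \mathrm{Gal}(K_\mathcal{O}/k).$$

(b) Let $w(E/\mathbb{Q})$ be the sign of the functional equation of $E/\mathbb{Q}$, let $y \in \mathrm{CM}^{(N)}(\mathcal{O})$, and let $P_y = \Phi_E(y)$ be the associated Heegner point on $E$. Then there exists a $\sigma \in \mathrm{Gal}(K_\mathcal{O}/k)$, depending on $P_y$ and $\rho$, so that

$$P_y^\rho = -w(E/\mathbb{Q})\,P_y^\sigma \pmod{E(K_\mathcal{O})_{\mathrm{tors}}}.$$

Proof. See [Dar04, Proposition 3.11] or [Gro84]. □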



3. A linear algebra estimate 

The intuition behind the following proposition is that a large subgroup of $\mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$ cannot act in an abelian fashion on a large subgroup of $(\mathbb{Z}/n\mathbb{Z})^2$. The key for our application is to quantify this statement in such a way that it is uniform with respect to $n$.

Proposition 9. Suppose that the following quantities are given:

$n$   a positive integer.
$V$   a free $\mathbb{Z}/n\mathbb{Z}$ module of rank 2.
$\Gamma$   a subgroup of $\mathrm{Aut}(V) \cong \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z})$.
$W$   a $\Gamma$-invariant $\mathbb{Z}/n\mathbb{Z}$-submodule of $V$, i.e., $\Gamma W = W$.

Let

$$I(\Gamma) = (\mathrm{Aut}(V) : \Gamma) = \text{the index of } \Gamma \text{ in } \mathrm{Aut}(V).$$

Suppose that the action of $\Gamma$ on $W$ is abelian in the sense that $\Gamma|_W$ is an abelian subgroup of $\mathrm{Aut}(W)$. Then

$$|W| \le I(\Gamma)^3. \qquad (3)$$
Remark 10. For our purposes it suffices to know that $|W|$ is bounded in terms of $I(\Gamma)$, independent of $n$, but it is an interesting question to ask to what extent the inequality (3) might be improved. A more elaborate argument (which we omit) gives exponent 2, and one might hope for an estimate of the form $|W| \ll I(\Gamma)^{1+\epsilon}$. However, the following example shows that an exponent of at least $4/3$ is necessary.

Example 11. Let $\ell$ be a prime, let $n = \ell^{2k}$, and let $W = V$. Then one easily checks that the action of

$$\Gamma = \{A \in \mathrm{GL}_2(\mathbb{Z}/\ell^{2k}\mathbb{Z}) : A \bmod \ell^k \text{ is diagonal}\}$$

on $(\mathbb{Z}/\ell^{2k}\mathbb{Z})^2$ is abelian. Then

$$|\Gamma| = |(\mathbb{Z}/\ell^k\mathbb{Z})^*| \cdot |M_2(\mathbb{Z}/\ell^k\mathbb{Z})| = \ell^{5k}(1 - \ell^{-1}),$$
$$|\mathrm{GL}_2(\mathbb{Z}/\ell^{2k}\mathbb{Z})| = \ell^{8k}(1 - \ell^{-1})(1 - \ell^{-2}),$$
$$I(\Gamma) = \ell^{3k}(1 - \ell^{-2}).$$

Since $|W| = \ell^{4k}$, this yields

$$\frac{\log |W|}{\log I(\Gamma)} \xrightarrow[k \to \infty]{} \frac{4}{3}.$$



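Proof of Proposition 9. By the standard structure theorem on modules over PIDs [Lan02, Theorem VI.2.7] we can find a basis for $V$ so that

$$V = \frac{\mathbb{Z}}{n\mathbb{Z}} \times \frac{\mathbb{Z}}{n\mathbb{Z}} \quad\text{and}\quad W = \frac{m_1\mathbb{Z}}{n\mathbb{Z}} \times \frac{m_2\mathbb{Z}}{n\mathbb{Z}} \quad\text{with } m_1 \mid m_2 \mid n.$$

We begin by doing the case that $n = \ell^e$ is a power of a prime, so

$$V = \frac{\mathbb{Z}}{\ell^e\mathbb{Z}} \times \frac{\mathbb{Z}}{\ell^e\mathbb{Z}} \quad\text{and}\quad W = \frac{\ell^i\mathbb{Z}}{\ell^e\mathbb{Z}} \times \frac{\ell^{i+j}\mathbb{Z}}{\ell^e\mathbb{Z}} \quad\text{with } i, j \ge 0 \text{ and } i + j \le e.$$

This allows us to identify $\Gamma$ with a subgroup of $\mathrm{GL}_2(\mathbb{Z}/\ell^e\mathbb{Z})$. Further, the condition that $\Gamma W = W$ implies that every matrix $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma$ satisfies $c \equiv 0 \pmod{\ell^j}$. In terms of the classical modular groups, the condition $\Gamma W = W$ is equivalent to the requirement

$$\Gamma \subset \mathrm{Image}\bigl(\Gamma_0(\ell^j) \to \mathrm{GL}_2(\mathbb{Z}/\ell^e\mathbb{Z})\bigr). \qquad (4)$$

It may happen that (4) is true for a larger value of $j$, so we define

$$J = \min\Bigl\{e,\ \max\Bigl\{\mathrm{ord}_\ell(c) : \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma\Bigr\}\Bigr\}.$$

In other words, $J$ is the largest integer less than or equal to $e$ such that every matrix in $\Gamma$ is congruent to $\begin{pmatrix} * & * \\ 0 & * \end{pmatrix}$ modulo $\ell^J$.

In particular, we can find a matrix

$$A = \begin{pmatrix} a & b \\ \ell^J c & d \end{pmatrix} \in \Gamma \quad\text{with } c \not\equiv 0 \pmod{\ell}.$$

(Notice that if $J = e$, we can simply take $c = 1$.) We fix the matrix $A$ and consider another matrix $B \in \Gamma$. The definition of $J$ tells us that $B$ has the form

$$B = \begin{pmatrix} \alpha & \beta \\ \ell^J \gamma & \delta \end{pmatrix}.$$

If we were working over a field, we might hope that the condition $AB|_W = BA|_W$ implies that $B$ has the form $xI + yA$ for some scalars $x$ and $y$. This is not quite true in our case, but we will now prove the validity of a similar statement up to a carefully chosen power of $\ell$.

We consider first the case that

$$e > i + J$$

and apply the assumption that $A$ and $B$ commute in their action on $W$. Note that this is not the same as saying that $AB = BA$ in $\mathrm{GL}_2(\mathbb{Z}/\ell^e\mathbb{Z})$. We obtain the correct statement by requiring that $BA - AB$ kills a basis of $W$. Thus

$$(BA - AB)\begin{pmatrix} \ell^i & 0 \\ 0 & \ell^{i+j} \end{pmatrix} \equiv \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix} \pmod{\ell^e}.$$

Multiplying this out and doing some algebra yields

$$\begin{pmatrix} \ell^{i+J}(c\beta - b\gamma) & \ell^{i+j}\bigl(b(\alpha - \delta) - (a - d)\beta\bigr) \\ \ell^{i+J}\bigl((a - d)\gamma - c(\alpha - \delta)\bigr) & \ell^{i+j+J}(c\beta - b\gamma) \end{pmatrix} \equiv 0 \pmod{\ell^e}. \qquad (5)$$

We use the congruences in the matrix equation (5) to compute

Using the fact that $\ell \nmid c$, we have shown that every $B \in \Gamma$ satisfies

$$B \equiv xI + yA \pmod{\ell^{e-i-J}} \quad\text{for some } x, y \in \mathbb{Z}/\ell^{e-i-J}\mathbb{Z},$$

i.e., every $B \in \Gamma$ has the form

$$B = xI + yA + \ell^{e-i-J}Z \quad\text{with } x, y \in \mathbb{Z}/\ell^{e-i-J}\mathbb{Z} \text{ and } Z \in M_2(\mathbb{Z}/\ell^{i+J}\mathbb{Z}).$$

Of course, the group $\Gamma$ will not contain all of these matrices (e.g., we cannot have $\ell \mid x$ and $\ell \mid y$), but in any case we obtain an upper bound

$$|\Gamma| \le (\#\text{ of } (x, y)) \cdot (\#\text{ of } Z) = \ell^{2(e-i-J)} \cdot \ell^{4(i+J)} = \ell^{2e+2i+2J}.$$

The order of $\mathrm{GL}_2(\mathbb{Z}/\ell^e\mathbb{Z})$ is well known, so we obtain a lower bound for the index

$$I(\Gamma) = \frac{|\mathrm{GL}_2(\mathbb{Z}/\ell^e\mathbb{Z})|}{|\Gamma|} \ge \frac{\ell^{4e}(1 - \ell^{-1})(1 - \ell^{-2})}{\ell^{2e+2i+2J}} = \ell^{2e-2i-2J}(1 - \ell^{-1})^2(1 + \ell^{-1}). \qquad (6)$$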

This estimate is helpful provided that $J$ is not too large. However, in the case that $J$ is large, we can instead use the fact that $\Gamma$ is contained in the image of $\Gamma_0(\ell^J)$ to estimate


iri ^ 



so 



{ ( c d) e GL2(Z/rZ) : £^|c} | = (1 - r^f, 

I(T) > ^ - - L=iJlJLL_ (7) 



Multiplying (6) by the square of (7) yields

which proves that $I(\Gamma)^3$ is larger than

$$|W| = \ell^{2e-2i-j}.$$

Next we consider the case that

$$i + J \ge e. \qquad (8)$$

The commutativity relation (5) then gives little information, but the fact that $\Gamma$ is contained in the image of $\Gamma_0(\ell^J)$ still gives the lower bound (7), which we use in the weaker form $I(\Gamma) \ge \ell^J$. Combining this with the assumption (8) yields

which is stronger than the desired result. This completes the proof of the proposition in the case that $n$ is a power of a prime.

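Finally, suppose that $n$ is arbitrary. Let

$$V_\ell = V \otimes \mathbb{Z}_\ell = \ell\text{-primary part of } V,$$

and similarly let $W_\ell = W \otimes \mathbb{Z}_\ell$. Then

$$V = \bigoplus_{\ell \mid n} V_\ell \quad\text{and}\quad W = \bigoplus_{\ell \mid n} W_\ell$$

by the Chinese remainder theorem. Further, we have

$$\mathrm{Aut}(V) = \prod_{\ell \mid n} \mathrm{Aut}(V_\ell) \quad\text{and}\quad \Gamma = \prod_{\ell \mid n} \Gamma_\ell \quad\text{with } \Gamma_\ell = \mathrm{Image}\bigl(\Gamma \to \mathrm{Aut}(V_\ell)\bigr).$$

Applying the $\ell$-primary case to this direct sum decomposition yields

$$|W| = \prod_{\ell \mid n} |W_\ell| \le \prod_{\ell \mid n} I(\Gamma_\ell)^3 = I(\Gamma)^3,$$

which completes the proof of Proposition 9. □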



4. Multiples of points and abelian extensions 

Our eventual goal is to prove the independence of points that are defined over fields that are "sufficiently large, sufficiently disjoint, and sufficiently abelian." The content of the next theorem is to quantify the meaning of the word "sufficiently" in this statement. Its proof combines the elementary linear algebra result from Section 3 with Serre's deep theorem on the image of Galois.

Theorem 12. Let $F/\mathbb{Q}$ be a number field, let $E/F$ be an elliptic curve that does not have complex multiplication, and let $d \ge 1$. There is an integer $M = M(E/F, d)$ so that for any field $k/F$ and any $P \in E(\bar{F})$ satisfying

$$[k : F] \le d \quad\text{and}\quad k(P)/k \text{ is abelian},$$

the following estimate is true:

$$[k(P) : k] \text{ divides } M[k(nP) : k] \quad\text{for all } n \ge 1.$$

Proof. Fix an integer $n \ge 1$. Writing

$$[k(P) : k] = [k(P) : k(nP)]\,[k(nP) : k],$$

it suffices to find a bound of the form

$$[k(P) : k(nP)] \le C = C(E/F, d),$$

since then we can take $M$ to equal the least common multiple of the integers less than $C$.

Consider the following set of points in $E$,

$$S(P, n) = \{P^{\sigma\tau} - P^{\tau} : \sigma \in \mathrm{Gal}(k(P)/k(nP)),\ \tau \in \mathrm{Gal}(k(P)/k)\}. \qquad (9)$$

Clearly $S(P, n) \subset E(k(P))$, since $k(P)/k$ is Galois.

Claim 1. $S(P, n) \subset E[n] \cap E(k(P))$.

We have $nP \in E(k(nP))$, and also $k(nP)/k$ is Galois since $k(P)/k$ is abelian, from which it follows that every $\mathrm{Gal}(k(nP)/k)$-conjugate of $nP$ is defined over $k(nP)$. Hence for all $\tau \in \mathrm{Gal}(k(P)/k)$ and all $\sigma \in \mathrm{Gal}(k(P)/k(nP))$,

which shows that $S(P, n)$ is contained in $E[n]$. The inclusion of $S(P, n)$ in $E(k(P))$ follows from the assumption that $k(P)/k$ is Galois, so every $\bar{F}/k$ conjugate of $P$ is in $E(k(P))$.

Claim 2. $S(P, n)$ is $\mathrm{Gal}(k(P)/k)$-invariant.

Let $\tau, \lambda \in \mathrm{Gal}(k(P)/k)$ and $\sigma \in \mathrm{Gal}(k(P)/k(nP))$. Then $\tau\lambda \in \mathrm{Gal}(k(P)/k)$, and also $\lambda^{-1}\sigma\lambda \in \mathrm{Gal}(k(P)/k(nP))$, since $k(nP)/k$ is Galois (in fact, abelian). Hence

so $\lambda$ maps $S(P, n)$ to itself.

Claim 3. $|S(P, n)| \ge [k(P) : k(nP)]$.

The set $S(P, n)$ contains in particular all points of the form $P^\sigma - P$ with $\sigma \in \mathrm{Gal}(k(P)/k(nP))$ (i.e., take $\tau = 1$), and these points are distinct. Hence

$$|S(P, n)| \ge |\mathrm{Gal}(k(P)/k(nP))| = [k(P) : k(nP)].$$

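We set the following notation, where note that Claim 2 tells us that $W$ is contained in $V$:

$$V = E[n] \cong (\mathbb{Z}/n\mathbb{Z})^2,$$
$$\mathrm{Aut}(V) = \mathrm{Aut}(E[n]) \cong \mathrm{GL}_2(\mathbb{Z}/n\mathbb{Z}),$$
$$W = (\mathbb{Z}\text{-span of } S(P, n)) \subset V,$$
$$\Gamma(k) = \mathrm{Image}\bigl(\mathrm{Gal}(\bar{F}/k) \to \mathrm{Aut}(V)\bigr).$$

Then we are in the following situation:

- $V$ is a free $\mathbb{Z}/n\mathbb{Z}$-module of rank 2.

- $\Gamma(k)$ is a subgroup of $\mathrm{Aut}(V)$.

- $W$ is a $\Gamma(k)$-invariant submodule of $V$ (from Claim 2).

- The action of $\Gamma(k)$ on $W$ is abelian (since $W \subset E(k(P))$ from Claim 1 and $k(P)/k$ is abelian).

These four conditions are exactly the assumptions needed to apply Proposition 9, which yields the estimate

$$|W| \le \mathrm{Index}(\Gamma(k))^3. \qquad (10)$$

The group $\Gamma(k)$ is the image of $\mathrm{Gal}(\bar{F}/k)$ in $\mathrm{Aut}(V)$, but we would like to replace it by the possibly larger group

$$\Gamma(F) = \mathrm{Image}\bigl(\mathrm{Gal}(\bar{F}/F) \to \mathrm{Aut}(V)\bigr).$$

Clearly $\Gamma(k) \subset \Gamma(F)$, so

$$\begin{aligned}
\mathrm{Index}(\Gamma(k)) &= (\mathrm{Aut}(V) : \Gamma(k)) \\
&= (\mathrm{Aut}(V) : \Gamma(F)) \cdot (\Gamma(F) : \Gamma(k)) \\
&\le (\mathrm{Aut}(V) : \Gamma(F)) \cdot |\mathrm{Gal}(k/F)| \\
&\le (\mathrm{Aut}(V) : \Gamma(F)) \cdot d \quad\text{since } [k : F] \le d, \\
&= d \cdot \mathrm{Index}(\Gamma(F)). \qquad (11)
\end{aligned}$$

Combining (10) and (11) yields

$$|W| \le d^3 \cdot \mathrm{Index}(\Gamma(F))^3. \qquad (12)$$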

We now apply Serre's deep and fundamental theorem on the image of Galois.

Theorem 13. (Serre [Ser72, Ser98]) Let $E/F$ be an elliptic curve defined over a number field. For any prime $\ell$, let

$$\rho_\ell : \mathrm{Gal}(\bar{F}/F) \to \mathrm{Aut}(T_\ell(E))$$

be the $\ell$-adic representation attached to $E/F$. Assume that $E$ does not have complex multiplication.

(a) The image of $\rho_\ell$ is of finite index in $\mathrm{Aut}(T_\ell(E))$ for all $\ell$.

(b) The image of $\rho_\ell$ equals $\mathrm{Aut}(T_\ell(E))$ for all but finitely many $\ell$.

Serre's theorem is easily seen to be equivalent to the statement that there exists a constant $C_1(E/F) > 0$ such that

$$\Bigl(\mathrm{Aut}(E[N]) : \mathrm{Image}\bigl(\mathrm{Gal}(\bar{F}/F) \to \mathrm{Aut}(E[N])\bigr)\Bigr) \le C_1(E/F) \quad\text{for all } N \ge 1.$$

The crucial point here is that the constant $C_1(E/F)$ is independent of $N$, so the index is bounded by a constant depending only on $E/F$. (Note that this is where we are using the assumption that $E$ does not have complex multiplication.) Applying Serre's estimate with $N = n$ yields

$$\mathrm{Index}(\Gamma(F)) \le C_1(E/F). \qquad (13)$$

We combine the inequalities (12) and (13) with Claim 3 to obtain the estimate

$$[k(P) : k(nP)] \le |S(P, n)| \le |W| \le d^3 \cdot \mathrm{Index}(\Gamma(F))^3 \le d^3 \cdot C_1(E/F)^3.$$

This completes the proof of Theorem 12. □



5. A direct sum decomposition via an idempotent relation 

Various versions of the results in this section are well-known, see for example [Cor91] or [Wal79, Theorem 6.3]. For the convenience of the reader we include proofs of the specific statements that we require.

Let $G$ be a finite group. For each subgroup $H \subset G$, the associated idempotent $e_H$ in the group ring of $G$ is the element

One easily verifies that $e_H^2 = e_H$.

Lemma 14. Let $p$ be a prime, let $G = \mathbb{F}_p^r$, let $N = (p^r - 1)/(p - 1)$, and let $G_1, G_2, \ldots, G_N$ be the subgroups of $G$ of index $p$.

(a) $\displaystyle\sum_{i=1}^{N} e_{G_i} = \frac{p^r - p}{p - 1}\, e_G + e$, where $e \in G$ is the identity element.

(b) $e_{G_i} \cdot e_{G_j} = e_G$ for all $i \ne j$.

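Proof. Let $\hat{G} = \mathrm{Hom}(G, \mathbb{F}_p)$ be the dual group to $G$ and let $\hat{G}^*$ denote the nonzero elements of $\hat{G}$. Then the kernel of each $\chi \in \hat{G}^*$ is an index $p$ subgroup of $G$, and $\chi$ and $\chi'$ give the same subgroup if and only if $\chi' = c\chi$ for some $c \in \mathbb{F}_p^*$. In other words, the index $p$ subgroups of $G$ are in one-to-one correspondence with the points of $\hat{G}^*/\mathbb{F}_p^* = \mathbb{P}^{r-1}(\mathbb{F}_p)$. We also let $G^*$ denote the nonzero elements of $G$, i.e., $G^* = \{\sigma \in G : \sigma \ne e\}$, and compute

$$\begin{aligned}
\sum_{i=1}^{N} e_{G_i} &= \frac{1}{p^{r-1}(p - 1)} \sum_{\sigma \in G} \bigl|\{\chi \in \hat{G}^* : \chi(\sigma) = 0\}\bigr|\,\sigma \\
&= \frac{1}{p^{r-1}(p - 1)} \Bigl( |\hat{G}^*|\,e + \sum_{\tau \in G^*} \bigl|\{\chi \in \hat{G}^* : \chi(\tau) = 0\}\bigr|\,\tau \Bigr) \\
&= \frac{1}{p^{r-1}(p - 1)} \Bigl( (p^r - 1)\,e + (p^{r-1} - 1) \sum_{\sigma \in G^*} \sigma \Bigr) \\
&= \frac{1}{p^{r-1}(p - 1)} \Bigl( (p^r - p^{r-1})\,e + (p^{r-1} - 1) \sum_{\sigma \in G} \sigma \Bigr) \\
&= e + \frac{p^r - p}{p - 1}\, e_G.
\end{aligned}$$

This proves (a).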

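Next let $i \ne j$ be distinct indices. Let $\chi$ and $\lambda$ be elements of $\hat{G}^*$ corresponding to $G_i$ and $G_j$, respectively. Then

$$p^{2r-2}\, e_{G_i} e_{G_j} = \sum_{\sigma \in G_i} \sum_{\tau \in G_j} \sigma\tau = \sum_{\substack{\sigma \in G \\ \chi(\sigma) = 0}} \sum_{\substack{\tau \in G \\ \lambda(\tau) = 0}} \sigma\tau = \sum_{\substack{\sigma \in G \\ \chi(\sigma) = 0}} \sum_{\substack{\rho \in G \\ \lambda(\sigma^{-1}\rho) = 0}} \rho = \sum_{\rho \in G} \rho \sum_{\substack{\sigma \in G \\ \chi(\sigma) = 0 \\ \lambda(\sigma) = \lambda(\rho)}} 1.$$

The fact that $\chi$ and $\lambda$ are distinct nonzero homomorphisms, i.e., distinct nonzero linear maps, from $\mathbb{F}_p^r$ to $\mathbb{F}_p$ means that the pair of equations

$$\chi(\sigma) = c_1 \quad\text{and}\quad \lambda(\sigma) = c_2$$

has exactly $p^{r-2}$ solutions for any given $c_1, c_2 \in \mathbb{F}_p$. (This is simply the number of points on the intersection of two transversal hyperplanes in $\mathbb{A}^r(\mathbb{F}_p)$.) Hence

$$p^{2r-2}\, e_{G_i} e_{G_j} = p^{r-2} \sum_{\rho \in G} \rho = p^{2r-2}\, e_G.$$

Dividing by $p^{2r-2}$ gives (b). □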
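A brute-force check of Lemma 14 for small $p$ and $r$, as an added example that is not part of the paper: it builds the idempotents $e_{G_i}$ in $\mathbb{Q}[G]$ for $G = \mathbb{F}_p^r$ and tests the relation $e_H^2 = e_H$ together with parts (a) and (b). It assumes the averaging idempotent $e_H = |H|^{-1}\sum_{\sigma \in H} \sigma$ and the coefficient $(p^r - p)/(p - 1)$ in part (a); all function names are illustrative.

```python
from fractions import Fraction
from itertools import product


def elements(p, r):
    """All elements of G = F_p^r as tuples."""
    return list(product(range(p), repeat=r))


def normalize(x):
    """Drop zero coefficients so that equal group-ring elements compare equal."""
    return {g: c for g, c in x.items() if c != 0}


def idempotent(H):
    """Assumed definition: e_H = (1/|H|) * (sum of the elements of H)."""
    return {h: Fraction(1, len(H)) for h in H}


def multiply(x, y, p):
    """Product in Q[G]; the group law of G is componentwise addition mod p."""
    out = {}
    for s, a in x.items():
        for t, b in y.items():
            u = tuple((si + ti) % p for si, ti in zip(s, t))
            out[u] = out.get(u, Fraction(0)) + a * b
    return normalize(out)


def index_p_subgroups(p, r):
    """Kernels of the nonzero linear maps chi: F_p^r -> F_p, one per point of P^{r-1}(F_p)."""
    G = elements(p, r)
    kernels = {
        frozenset(g for g in G if sum(c * x for c, x in zip(chi, g)) % p == 0)
        for chi in G if any(chi)
    }
    return [sorted(H) for H in kernels]


def check_lemma_14(p, r):
    """Return which of the claimed identities hold for G = F_p^r."""
    G = elements(p, r)
    identity = (0,) * r
    e_G = idempotent(G)
    e_sub = [idempotent(H) for H in index_p_subgroups(p, r)]
    N = (p**r - 1) // (p - 1)

    # Left side of (a): the sum of all e_{G_i}.
    lhs = {}
    for x in e_sub:
        for g, c in x.items():
            lhs[g] = lhs.get(g, Fraction(0)) + c

    # Right side of (a): ((p^r - p)/(p - 1)) * e_G + e.
    coeff = Fraction(p**r - p, p - 1)
    rhs = {g: coeff * c for g, c in e_G.items()}
    rhs[identity] += 1

    return {
        "count": len(e_sub) == N,
        "idempotent": all(multiply(x, x, p) == x for x in e_sub),
        "a": normalize(lhs) == normalize(rhs),
        "b": all(
            multiply(e_sub[i], e_sub[j], p) == e_G
            for i in range(len(e_sub))
            for j in range(i + 1, len(e_sub))
        ),
    }


if __name__ == "__main__":
    for p, r in [(2, 2), (3, 2), (2, 3), (3, 3)]:
        print((p, r), check_lemma_14(p, r))
```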

Lemma 15. Let $p$, $G$, $N$, and $G_1, \ldots, G_N$ be as in the statement of Lemma 14. Let $M$ be a finite $G$-module whose order is prime to $p$, so in particular the group ring $\mathbb{Z}[p^{-1}][G]$ acts on $M$.




Michael Rosen and Joseph H. Silverman 



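(a) $e_H M = M^H$, i.e., $e_H M$ is the subgroup of $M$ fixed by $H$.

(b) The "norm map"

$$M/M^G \xrightarrow{\ \text{norm}\ } \bigoplus_{i=1}^{N} e_{G_i}M/e_G M \cong \bigoplus_{i=1}^{N} M^{G_i}/M^G, \qquad m \longmapsto (e_{G_1}m, \ldots, e_{G_N}m) \qquad (14)$$

is an isomorphism. Its inverse is the summation map

$$(m_1, \ldots, m_N) \longmapsto m_1 + \cdots + m_N.$$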

Proof. First let $e_H m \in e_H M$ and let $\tau \in H$. Then

$$\tau e_H m = e_H m,$$

so $e_H m \in M^H$. Conversely, if $m \in M^H$, then

$$e_H m = \frac{1}{|H|} \sum_{\sigma \in H} \sigma m = \frac{1}{|H|} \sum_{\sigma \in H} m = m,$$

so $m = e_H m \in e_H M$. This proves that $e_H M = M^H$, which completes the proof of (a).

Let $\Phi$ be the map

$$\Phi : M \xrightarrow{\ \text{norm}\ } \bigoplus_{i=1}^{N} e_{G_i}M/e_G M, \qquad m \longmapsto (e_{G_1}m, \ldots, e_{G_N}m).$$

It is clear that $e_G M$ is contained in the kernel of $\Phi$. Conversely, let $m \in \ker(\Phi)$. This means that there are $m_i \in M$ satisfying $e_{G_i}m = e_G m_i$. Summing over $i$ and using Lemma 14(a) yields

N N / ^ - 1 \ 

Thus 

- 1 



m 



P - ^=l 



which gives the other inclusion. Hence $\ker(\Phi) = e_G M$.

Next we show that $\Phi$ is surjective. Let $m_1, \ldots, m_N \in M$. We need to prove that the point

$$(e_{G_1}m_1, \ldots, e_{G_N}m_N)$$

is in the image of $\Phi$. Let $m = \sum e_{G_i}m_i$. Then for each $j$ we use Lemma 14(b) to compute

$$e_{G_j}m = \sum_{i=1}^{N} e_{G_j}e_{G_i}m_i = e_{G_j}m_j + \sum_{i \ne j} e_G m_i \equiv e_{G_j}m_j \pmod{e_G M}.$$

This proves that

$$\Phi(e_{G_1}m_1 + \cdots + e_{G_N}m_N) \equiv (e_{G_1}m_1, \ldots, e_{G_N}m_N) \pmod{e_G M},$$

which completes the proof that $\Phi$ induces an isomorphism (14) and that the inverse isomorphism is the summation map. □

6. An elementary Galois theory estimate 

In this section we prove a basic estimate on the degree of successive composita of Galois extensions, cf. [Lan02, Corollary VI.1.15].

Proposition 16. Let $K_1, K_2, \ldots, K_r$ be Galois extensions of a field $k$, and for each $2 \le i \le r$, let

$$K_i' = K_i \cap (K_1 \cdots K_{i-1}).$$

Then

$$\prod_{i=1}^{r} [K_i : k] = [K_1 \cdots K_r : k] \prod_{i=2}^{r} [K_i' : k]. \qquad (15)$$

Proof. Let $E_1/k$ and $E_2/k$ be any two Galois extensions of $k$. We claim that

$$[E_1E_2 : k] \cdot [E_1 \cap E_2 : k] = [E_1 : k] \cdot [E_2 : k]. \qquad (16)$$

If $E_1 \cap E_2 = k$, then [Lan02, Theorem VI.1.14] implies that (16) is true. The general case of (16) can be reduced to this as follows:

$$\begin{aligned}
[E_1E_2 : k] &= [E_1E_2 : E_1 \cap E_2] \cdot [E_1 \cap E_2 : k] \\
&= [E_1 : E_1 \cap E_2] \cdot [E_2 : E_1 \cap E_2] \cdot [E_1 \cap E_2 : k] \\
&= \frac{[E_1 : k] \cdot [E_2 : k]}{[E_1 \cap E_2 : k]}.
\end{aligned}$$

We prove (15) by induction on $r$. If $r = 1$, then both sides are equal to $[K_1 : k]$. Assume now that (15) is true for $r$. We use (16) with $E_1 = K_{r+1}$ and $E_2 = K_1 \cdots K_r$ and note that $E_1 \cap E_2 = K_{r+1}'$ to obtain

Multiplying (15) by this quantity gives (15) with $r + 1$ in place of $r$, which completes the induction. □

7. Ideal class groups in multiquadratic fields 

For this section we fix the following notation.

$k/\mathbb{Q}$   a Galois extension with group $\mathrm{Gal}(k/\mathbb{Q}) = (\mathbb{Z}/2\mathbb{Z})^r$.
$K$   the Hilbert class field of $k$.
$N$   $= 2^r - 1$.
$k_1, \ldots, k_N$   the distinct quadratic subfields of $k$.
$K_1, \ldots, K_N$   the Hilbert class fields of $k_1, \ldots, k_N$, respectively.

Further, for any finite abelian group $G$, we let $G^{\mathrm{odd}}$ denote the largest subgroup of $G$ of odd order, and similarly $h^{\mathrm{odd}}$ denotes the odd part of the integer $h$.

Proposition 17. With notation as set above, the natural restriction map

$$\mathrm{Gal}(K/k)^{\mathrm{odd}} \longrightarrow \prod_{i=1}^{N} \mathrm{Gal}(K_i/k_i)^{\mathrm{odd}}$$

is an isomorphism.

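Proof. Let $H_k$ be the ideal class group of $k$, and similarly for each $i$, let $H_{k_i}$ denote the ideal class group of $k_i$. Standard properties of the Artin map [Lan94, X §1, A2 & A4] give a commutative diagram

[Commutative diagram: the norm map $H_k \to H_{k_i}$ along the top, Artin maps as the vertical arrows, and the maps $\mathrm{Gal}(K/k) \to \mathrm{Gal}(kK_i/k) \to \mathrm{Gal}(K_i/k_i)$ along the bottom.]

Combining these maps for $i = 1, 2, \ldots, r$ and taking the odd parts of each of the groups gives us a commutative diagram

[Commutative diagram (17): the norm map $H_k^{\mathrm{odd}} \to \prod_{i=1}^{N} H_{k_i}^{\mathrm{odd}}$ along the top, Artin maps as the vertical arrows, and the map $\mathrm{Gal}(K/k)^{\mathrm{odd}} \to \prod_{i=1}^{N} \mathrm{Gal}(K_i/k_i)^{\mathrm{odd}}$ along the bottom.]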

The Galois group $\mathrm{Gal}(k/\mathbb{Q}) = (\mathbb{Z}/2\mathbb{Z})^r$ acts on $H_k^{\mathrm{odd}}$, the odd part of the ideal class group of $k$. Also note that the subgroups of $\mathrm{Gal}(k/\mathbb{Q})$ of index 2 are exactly the groups $\mathrm{Gal}(k/k_i)$ for $1 \le i \le N$. This is exactly the situation needed to apply Lemma 15(b), which tells us that there is an isomorphism

$$\frac{H_k^{\mathrm{odd}}}{(H_k^{\mathrm{odd}})^{\mathrm{Gal}(k/\mathbb{Q})}} \xrightarrow{\ \text{Norm}\ } \prod_{i=1}^{N} \frac{(H_k^{\mathrm{odd}})^{\mathrm{Gal}(k/k_i)}}{(H_k^{\mathrm{odd}})^{\mathrm{Gal}(k/\mathbb{Q})}}. \qquad (18)$$

(The norm maps $N_{k/k_i} : H_k^{\mathrm{odd}} \to (H_k^{\mathrm{odd}})^{\mathrm{Gal}(k/k_i)}$ appearing in (18) are actually the $2^{r-1}$-power of the "norm maps" in Lemma 15(b). However, raising to the $2^{r-1}$ power is an automorphism of $H_k^{\mathrm{odd}}$, so it is still valid to conclude that (18) is an isomorphism.)

In order to complete the proof of the proposition, we use the following elementary lemma.

Lemma 18. Set the following quantities.

$k/F$   a Galois extension of number fields of degree $n$.
$H_k' = H_k \otimes \mathbb{Z}[1/n]$,   the prime-to-$n$ part of the class group of $k$.
$H_F' = H_F \otimes \mathbb{Z}[1/n]$,   the prime-to-$n$ part of the class group of $F$.

Then the natural map $H_F' \to H_k'$ induces an isomorphism

$$H_F' \cong (H_k')^{\mathrm{Gal}(k/F)}.$$

Proof. Consider the compositions

and

$$(H_k')^{\mathrm{Gal}(k/F)} \longrightarrow H_F' \longrightarrow (H_k')^{\mathrm{Gal}(k/F)}.$$

Both compositions have the effect of raising to the $n$-th power. Hence they are both isomorphisms, since $H_F'$ and $H_k'$ have order prime to $n$. Therefore each of the individual arrows is also an isomorphism. □

We now resume the proof of Proposition 17. We apply Lemma 18 with $F = k_i$ and $F = \mathbb{Q}$ to obtain

$$(H_k^{\mathrm{odd}})^{\mathrm{Gal}(k/k_i)} \cong H_{k_i}^{\mathrm{odd}} \quad\text{and}\quad (H_k^{\mathrm{odd}})^{\mathrm{Gal}(k/\mathbb{Q})} \cong H_{\mathbb{Q}}^{\mathrm{odd}} = 1.$$
Figure 1: A tower of fields used in the proof of Proposition 19. Various extensions of 2-power degree are indicated. The proposition proves that the extension marked with a ? is also a 2-power extension.



Substituting these values into the isomorphism (18) yields

$$H_k^{\mathrm{odd}} \cong \prod_{i=1}^{N} H_{k_i}^{\mathrm{odd}}.$$

Thus the top horizontal arrow in the commutative diagram (17) is an isomorphism, and the vertical arrows are Artin isomorphisms, hence the bottom arrow is also an isomorphism. This completes the proof of Proposition 17. □



We now show that up to extensions of 2-power degree, the Hilbert class fields of distinct quadratic 
fields are maximally disjoint. 

Proposition 19. With the notation set at the beginning of this section, for every $2 \le i \le r$ the degree

$$\Bigl[K_i \cap k_i \prod_{j<i} K_j : k_i\Bigr]$$

is a power of 2.



Proof. The diagram given in Figure 1 should assist in keeping track of the various fields under consideration.

We look first at the maps

$$\mathrm{Gal}(K/k) \longrightarrow \mathrm{Gal}(K_1 \cdots K_N/k) \longrightarrow \prod_{i=1}^{N} \mathrm{Gal}(K_i/k_i). \qquad (19)$$

Proposition 17 tells us that if we restrict to the odd parts of these groups, then the composition (19) is an isomorphism. Since the first map is surjective and the second map is injective, we conclude that

$$[K : k]^{\mathrm{odd}} = [K_1 \cdots K_N : k]^{\mathrm{odd}} = \prod_{i=1}^{N} [K_i : k_i]^{\mathrm{odd}}. \qquad (20)$$

Next we apply Proposition 16 to the base field $k$, the Galois extensions $kK_1, \ldots, kK_N$ of $k$, and their compositum $L = K_1 \cdots K_N$. (Note that $k$ is already contained in $K_1 \cdots K_N$.) For each $2 \le i \le N$ we obtain the formula

$$\prod_{i=1}^{N} [kK_i : k] = [K_1 \cdots K_N : k] \prod_{i=2}^{N} [kK_i \cap (kK_1 \cdots K_{i-1}) : k]. \qquad (21)$$

Every extension $k/k_i$ has degree a power of 2, so taking the odd part of (21) and replacing $k$ by $k_i$ as appropriate yields

$$\prod_{i=1}^{N} [K_i : k_i]^{\mathrm{odd}} = [K_1 \cdots K_N : k]^{\mathrm{odd}} \prod_{i=2}^{N} [K_i \cap (k_iK_1 \cdots K_{i-1}) : k_i]^{\mathrm{odd}}. \qquad (22)$$

Comparing (20) and (22) gives the formula

$$\prod_{i=2}^{N} [K_i \cap (k_iK_1 \cdots K_{i-1}) : k_i]^{\mathrm{odd}} = 1,$$

and hence every factor in the product must equal 1. □

8. The independence of Heegner points 

In this section we combine all of the previous material in order to prove our principal result (Theorem 1), which we restate here in a more precise form.

Theorem 20. Let $E/\mathbb{Q}$ be an elliptic curve of conductor $N$ and let

$$\Phi_E : X_0(N) \to E$$

be a modular parametrization of $E$. There is a constant $C = C(E, \Phi_E)$ so that the following is true. Suppose that the following are given:

$k_1, \ldots, k_r$   distinct quadratic imaginary fields satisfying the Heegner condition for $N$.
$h_1, \ldots, h_r$   the class numbers of $k_1, \ldots, k_r$.
$y_1, \ldots, y_r$   points $y_i \in \mathrm{CM}^{(N)}(\mathcal{O}_{k_i})$.
$P_1, \ldots, P_r$   the associated Heegner points, $P_i = \Phi_E(y_i)$.

Assume further that the class numbers satisfy

$h_i^{\mathrm{odd}}$   for all $1 \le i \le r$. (23)

Then

$P_1, \ldots, P_r$ are independent in $E(\bar{\mathbb{Q}})/E_{\mathrm{tors}}$.
Proof. We will assume that $P_1, \ldots, P_r$ are dependent and deduce an upper bound for $\min\{h_i^{\mathrm{odd}}\}$ that depends only on $E$ and $\Phi_E$. Thus we assume that there is a relation

$$n_1P_1 + \cdots + n_rP_r = 0 \quad\text{with } n_i \in \mathbb{Z} \text{ not all } 0. \qquad (24)$$

Relabeling the points if necessary, we may assume that $n_r \ne 0$. In order to complete the proof, it then suffices to find a bound for $h_r^{\mathrm{odd}}$.

We first apply Theorem 12 (with $d = 2$) to deduce that

$$[k_r(P_r) : k_r] \text{ divides } M[k_r(n_rP_r) : k_r], \qquad (25)$$

where the constant $M = M(E/F, 2)$ is independent of $P_r$ and $n_r$.

Next we let $k = k_1 \cdots k_r$. Then $\mathrm{Gal}(k/\mathbb{Q}) = (\mathbb{Z}/2\mathbb{Z})^t$ for some $t \le r$. We set $N = 2^t - 1$ and extend the list of $k_i$ to be the complete list $k_1, \ldots, k_N$ of quadratic fields contained in $k$. Continuing with the notation from Section 7 we set

$K$ = Hilbert class field of $k$,
$K_i$ = Hilbert class field of $k_i$ for $1 \le i \le N$.

Each point $P_i \in E(K_i)$, so the assumed linear dependence (24) tells us that

$$n_rP_r = -\sum_{i<r} n_iP_i \in E\Bigl(\prod_{i<r} K_i\Bigr).$$

Thus

$$k_r(n_rP_r) \subset K_r \cap k_r \prod_{i<r} K_i,$$

from which we conclude that $[k_r(n_rP_r) : k_r]$ divides

$$\Bigl[K_r \cap k_r \prod_{i<r} K_i : k_r\Bigr] = \Bigl[K_r \cap k_r \prod_{i<r} K_i : k\Bigr] \cdot [k : k_r]. \qquad (26)$$

Proposition 19 tells us that the first factor on the righthand side of (26) is a power of 2, and the second factor is clearly a factor of 2. This proves that

$$[k_r(n_rP_r) : k_r] \text{ is a power of 2.}$$

Then (25) tells us that $[k_r(P_r) : k_r]$ divides $M^{\mathrm{odd}}$, so it is bounded by a constant depending only on $E$.

Finally, we use Proposition 7 and the fact that $P_r$ is a Heegner point to deduce that

$$[K_r : k_r]^{\mathrm{odd}} \le (\deg \Phi_E)\,[k_r(P_r) : k_r]^{\mathrm{odd}} \le (\deg \Phi_E)\,M^{\mathrm{odd}}.$$

The quantity $[K_r : k_r]^{\mathrm{odd}}$ is the odd part of the class number of $k_r$, so this contradicts (23). Hence $P_1, \ldots, P_r$ are independent. □



9. Deuring lifts, Heegner points, and the ECDLP 

In this section we briefly sketch an initially plausible approach to solving the elliptic curve discrete
logarithm problem using Heegner points and explain why Theorem 20 makes it unlikely that this
approach will yield anything better than an algorithm with $O(\sqrt{p})$ running time. We refer the reader
to [RS] for further details.

Definition. An Elliptic Curve Discrete Logarithm Problem (ECDLP) over $\mathbb{F}_p$ starts with a known
elliptic curve $\bar{E}/\mathbb{F}_p$ and two points $\bar{S}, \bar{T} \in \bar{E}(\mathbb{F}_p)$ and asks for the (smallest positive) integer $m$ such
that

$$\bar{S} = m\bar{T}.$$

(We use a bar to denote quantities defined over $\mathbb{F}_p$ or to denote the reduction of a quantity modulo $p$.)
It may be assumed that one knows

$$n_E = \#\bar{E}(\mathbb{F}_p).$$

Suppose that it is possible to lift $\bar{E}$ to an elliptic curve $E/\mathbb{Q}$ of small conductor and to find, in
some reasonably explicit fashion, a modular parametrization $\Phi_E : X_0(N) \to E$. (If $\bar{E}$ is a "random"
elliptic curve over $\mathbb{F}_p$, it is unlikely that this is possible; but for reasons of efficiency in cryptographic
applications, it is not uncommon to take $\bar{E}$ to have very small coefficients.)

A standard approach to solving the ECDLP is to choose many random pairs of numbers $(a_i, b_i)$
modulo $n_E$ and try to find a nontrivial relation among the points $\bar{P}_i = a_i\bar{S} - b_i\bar{T}$. If $\sum c_i\bar{P}_i = 0$ is
such a relation, then there is a good chance that the resulting relation
between $\bar{S}$ and $\bar{T}$ can be inverted to express $\bar{S}$ as a multiple of $\bar{T}$. We thus look for a way of
generating relations among a given list $\bar{P}_1, \bar{P}_2, \dots$ of points in $\bar{E}(\mathbb{F}_p)$.

The map $\Phi_E : X_0(N) \to E$ has small degree, so there is a reasonable chance that a randomly
chosen point in $\bar{E}(\mathbb{F}_p)$ will lift to an $\mathbb{F}_p$-rational point on $X_0(N)$. (The exact probability, which
we do not need, can be computed using the function field version of the Tchebotarev density
theorem.) Hence taking a subsequence, we may assume that every point $\bar{P}_i \in \bar{E}(\mathbb{F}_p)$ lifts via $\Phi_E$ to
a point $\bar{y}_i \in X_0(N)(\mathbb{F}_p)$.

In general, a point $\bar{y} \in X_0(N)(\mathbb{F}_p)$ corresponds to a triple $(\bar{A}, \bar{A}', \bar{\phi})$ consisting of a pair of elliptic
curves $\bar{A}/\mathbb{F}_p$ and $\bar{A}'/\mathbb{F}_p$ and an isogeny

$$\bar{\phi} : \bar{A} \longrightarrow \bar{A}'$$

defined over $\mathbb{F}_p$ with kernel $\ker(\bar{\phi}) = \mathbb{Z}/N\mathbb{Z}$. Since $\bar{A}$ and $\bar{A}'$ are $\mathbb{F}_p$-isogenous, they have the same
number of points, so we set the notation

$$n_y = \#\bar{A}(\mathbb{F}_p) = \#\bar{A}'(\mathbb{F}_p) \quad \text{and} \quad a_y = p + 1 - n_y.$$

(Note that these quantities can be computed in polynomial time by the SEA variant of Schoof's
algorithm [Sch85, Sch95].) Then the endomorphism rings of $\bar{A}$ and $\bar{A}'$ have discriminant

$$\Delta(y) = a_y^2 - 4p.$$

Note that $\Delta(y) < 0$ by Hasse's theorem [Sil86, Theorem V.1.1].

We perform this computation for each of the points $\bar{y}_1, \bar{y}_2, \dots$. Taking a subsequence, we may
assume that every integer $\Delta(y_i)$ is a fundamental discriminant. (A negative integer $D$ is a fundamental
discriminant if either it is odd, squarefree, and $D \equiv 1 \pmod 4$ or if it is divisible by 4
with $D/4$ squarefree and $D/4 \equiv 2$ or $3 \pmod 4$.) This ensures that

$$\operatorname{End}(\bar{A}_i) = \operatorname{End}(\bar{A}'_i) = \mathcal{O}_{k_i} \text{ is the full ring of integers}$$

in the quadratic imaginary field $k_i = \mathbb{Q}\bigl(\sqrt{\Delta(y_i)}\bigr)$.

In other words, both $\bar{A}_i$ and $\bar{A}'_i$ have CM by the full ring of integers of $k_i$. (We also discard $\bar{y}_i$ in
the unlikely event that $\bar{A}_i$ is supersingular, i.e., if $a_{y_i} = 0$.)

Remark 21. In practice, we would like the fields $k_1, k_2, \dots$ to be "not too independent," in the sense
that we would like the compositum $k_1k_2\cdots$ to stop growing as we take more and more points. This
can be accomplished by keeping only those $\bar{y}_i$ whose associated discriminant is $B$-smooth for an
appropriately chosen value of $B$. For example, taking $B = O\bigl(e^{\sqrt{\log p \,\log\log p}}\bigr)$ as usual, suppose that
the discriminants are reasonably randomly distributed (a theorem of Birch [Bir68] says that they
follow a Sato-Tate distribution). Then we can collect $O(MB)$ points $\bar{y}_i$ and fields $k_i$ in time $O(MB)$,
while the compositum $k_1k_2k_3\cdots$ is always contained in the field $\mathbb{Q}\bigl(\sqrt{\ell} : \ell \le O(B)\bigr)$, independent
of $M$.
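The filtering steps described in this section (the trace $a_y$, the discriminant $\Delta(y) = a_y^2 - 4p$, the fundamental-discriminant and supersingularity tests, and the $B$-smoothness condition of Remark 21) can be traced on a toy prime. The following Python sketch is an added illustration, not code from the paper: the function names are hypothetical, curves are assumed to be in short Weierstrass form $y^2 = x^3 + ax + b$ with $p \ge 5$, and a naive $O(p)$ character sum stands in for the SEA algorithm.

```python
# Added example: the discriminant filter of Section 9 on toy primes.
# Naive O(p) point counting replaces SEA; all names are illustrative.
from math import isqrt

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, returned as -1, 0 or 1."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def trace_of_frobenius(a, b, p):
    """a_y = p + 1 - #A(F_p) for A: y^2 = x^3 + a*x + b."""
    return -sum(legendre(x**3 + a * x + b, p) for x in range(p))

def is_squarefree(n):
    n = abs(n)
    return all(n % (d * d) for d in range(2, isqrt(n) + 1))

def is_fundamental(D):
    """Negative fundamental discriminant, by the criterion quoted in the text."""
    if D >= 0:
        return False
    if D % 4 == 1:
        return is_squarefree(D)
    return D % 4 == 0 and (D // 4) % 4 in (2, 3) and is_squarefree(D // 4)

def largest_prime_factor(n):
    n, f, best = abs(n), 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return max(best, n)

def classify(a, b, p, B):
    """Return (a_y, Delta(y), verdict) for y^2 = x^3 + a*x + b over F_p."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        return None, None, "singular"
    ay = trace_of_frobenius(a, b, p)
    delta = ay * ay - 4 * p
    if ay == 0:
        return ay, delta, "discard: supersingular"
    if not is_fundamental(delta):
        return ay, delta, "discard: not fundamental"
    if largest_prime_factor(delta) > B:
        return ay, delta, "discard: not B-smooth"
    return ay, delta, "keep"

def surviving_discriminants(p, B):
    """Sorted discriminants kept by the filter over all curves mod p."""
    return sorted({d for a in range(p) for b in range(p)
                   for _, d, v in [classify(a, b, p, B)] if v == "keep"})
```

Over $\mathbb{F}_7$ with $B = 10$ only the discriminants $-24$ and $-3$ survive, so every kept curve has CM by the maximal order of $\mathbb{Q}(\sqrt{-6})$ or $\mathbb{Q}(\sqrt{-3})$.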

We next use a variant of Deuring's lifting theorem [Deu41] to lift $\bar{A}$ and $\bar{A}'$ to CM elliptic curves
defined over the Hilbert class field $K_i$ of $k_i$ with the property that

$$\operatorname{End}(A_i) = \operatorname{End}(\bar{A}_i) \quad \text{and} \quad \operatorname{End}(A'_i) = \operatorname{End}(\bar{A}'_i).$$

This can be done so that the cyclic $N$-isogeny $\bar{\phi} : \bar{A} \to \bar{A}'$ lifts to a cyclic $N$-isogeny $\phi : A \to A'$.
(For modern expositions of Deuring's theorem, see [Lan87, 13 §5, Theorem 14] or [Oor73].) The
triple $(A_i, A'_i, \phi)$ then corresponds to a point $y_i \in X_0(N)(K_i)$ that lifts $\bar{y}_i$.

Pushing these points forward, we obtain Heegner points

$$P_i = \Phi_E(y_i) \in E(K_i) \quad \text{satisfying} \quad P_i \bmod p = \bar{P}_i.$$

(More precisely, there is a degree 1 prime ideal $\mathfrak{p}_i$ in $K_i$ so that $P_i \bmod \mathfrak{p}_i$ equals $\bar{P}_i$.)

Our goal is to generate a list $P_1, \dots, P_r$ of points that are dependent and to find an equation of
dependency. There are at least two plausible methods to check whether $P_1, \dots, P_r$ are dependent,
despite the fact that we generally cannot write down explicitly any reasonable representation of their
fields of definition $K_1, \dots, K_r$. (Note that $[K_i : k_i] = h_{k_i} \approx \sqrt{|\operatorname{Disc} k_i|}$.) First, we can try to use the
modular interpretation of the points $y_i$ to compute the canonical height pairing $\langle y_i, y_j \rangle$ in terms of
other, more easily computable, quantities. The algebraic and analytic formulas developed by Gross,
Kohnen and Zagier [GKZ87] might be useful for this approach. Second, we can use the standard
proof of the weak Mordell-Weil theorem to map a putative linear relation from $E(K_1\cdots K_r)$ into
the Selmer group and attempt to derive information about the coefficients of the relation. Note
that there is never any trouble checking if a potential relation is correct, since it is easy to verify
if $\sum c_i\bar{P}_i$ is zero, and if it is, then we do not actually care if the relation lifts.

Thus if the Deuring-Heegner lifts of the points $\bar{P}_1, \bar{P}_2, \dots \in \bar{E}(\mathbb{F}_p)$ had a reasonable probability of
being dependent, then the algorithm outlined above might yield a theoretical (and conceivably even
a practical) algorithm to solve the ECDLP on curves with small coefficients. However, Theorem 20
provides fairly convincing evidence that this approach will not work, and indeed our initial motivation
in attempting to prove a theorem such as Theorem 20 was our desire to assess the effectiveness
of Deuring-Heegner lifts for solving the ECDLP.

10. Remarks on the 2-part of the ideal class group 

Let

$$\mathcal{D}(X) = \{\text{fundamental discriminants } -D \text{ with } 1 \le D \le X\},$$

and for each $-D \in \mathcal{D}(X)$, let $h_D$ denote the class number of the quadratic imaginary field $\mathbb{Q}(\sqrt{-D})$.
In view of Theorem 20 it would be of considerable interest to have some knowledge of the growth
rate of the counting function

$$N(C; X) = \#\{-D \in \mathcal{D}(X) : h_D^{\mathrm{odd}} \le C\}.$$

Genus theory says that $h_D$ is divisible by $2^{\nu(D)-1}$, where $\nu(D)$ is the number of odd primes
dividing $D$. More precisely, genus theory tells us that the 2-rank of the class group is (essentially)

Table 1: Counting quadratic imaginary fields whose class number has small odd part and whose
discriminant $-D$ satisfies $500{,}000 \le D \le 1{,}000{,}000$ (computations performed with PARI-GP).

| # of D | $h^{\mathrm{odd}} \le 1$ | $h^{\mathrm{odd}} \le 3$ | $h^{\mathrm{odd}} \le 5$ | $h^{\mathrm{odd}} \le 7$ | $h^{\mathrm{odd}} \le 9$ |
|---|---|---|---|---|---|
| 5555 | 134 | 312 | 479 | 617 | 770 |
| 11110 | | 589 | 901 | 1183 | 1486 |
| 16665 | 407 | 899 | 1381 | 1793 | 2273 |
| 22220 | | | | | |
| 27775 | 667 | 1511 | 2281 | 2954 | 3730 |
| 33330 | 775 | 1789 | 2699 | 3497 | 4427 |
| 38885 | 893 | 2062 | 3114 | 4052 | 5154 |
| 44440 | 1037 | 2358 | 3544 | 4599 | 5847 |
| 49995 | 1163 | 2641 | 3970 | 5140 | 6532 |
| 55550 | | | | | |
| 61105 | 1395 | 3190 | 4786 | 6219 | 7902 |
| 66660 | | | | | |
| 72215 | 1622 | 3745 | 5612 | 7302 | 9260 |
| 77770 | 1735 | 3995 | 6003 | 7816 | 9922 |
| 83325 | 1862 | 4272 | 6406 | 8343 | 10594 |
| 88880 | 1983 | 4557 | 6820 | 8887 | 11278 |
| 94435 | 2093 | 4799 | 7173 | 9361 | 11891 |
| 99990 | 2208 | 5073 | 7566 | 9867 | 12560 |
| 105545 | 2310 | 5295 | 7938 | 10344 | 13170 |
| 111100 | 2427 | 5556 | 8348 | 10875 | 13813 |
| 116655 | 2533 | 5789 | 8714 | 11347 | 14419 |
| 122210 | 2652 | 6039 | 9085 | 11831 | 15060 |
| 127765 | 2748 | 6297 | 9465 | 12337 | 15697 |
| 133320 | 2847 | 6541 | 9819 | 12799 | 16298 |
| 138875 | 2946 | 6789 | 10184 | 13284 | 16938 |
| 144430 | 3049 | 7012 | 10545 | 13753 | 17529 |
| 149985 | 3142 | 7235 | 10880 | 14211 | 18127 |
| Linear correlation | 99.926% | 99.932% | 99.943% | 99.949% | 99.955% |

equal to $\nu(D)$. Since the $n$-th prime is $O(n \log n)$, this immediately implies that

$$(\text{2-rank of } H_D) \ll \frac{\log D}{\log\log D},$$

so the 2-part of $h_D$ coming from the rank is negligible compared to $D$. However, little seems to be
known about the expected growth of the 2-exponent of $H_D$; see for example [BK72], [Ear89], [Wal79].
If we look at all integers, then it is easy to see that

$$\#\{n \le N : n^{\mathrm{odd}} \le C\} = \frac{C+1}{2}\,\log_2(N) + O(1) \quad \text{as } N \to \infty.$$

The Brauer-Siegel theorem [Lan94, Chapter XVI, Theorem 4] says that the magnitude of $h_D$ is
approximately $\sqrt{D}$, so $\{h_D : -D \in \mathcal{D}(X)\}$ contains $O(X)$ integers roughly less than $\sqrt{X}$. This leads
to the following question, which we do not honor with the name of "conjecture" because there seems
to be little evidence either for or against it.

Question 22. Fix a constant $C$. Is it true that

$$\#\{-D \in \mathcal{D}(X) : h_D^{\mathrm{odd}} \le C\} \asymp \sqrt{X}\,\log(X) \quad \text{as } X \to \infty,$$

where the implied constants depend on $C$?

The numerical evidence is far from compelling. Indeed, the data in Table 1 seems to suggest
that $N(C; X) \sim \kappa_C X$ for some $\kappa_C > 0$, but it seems unlikely that this is true, and indeed the value
of $\kappa_C$ shows a slow, but steady, decrease as we eliminate the smaller data from the top of the table.
However, the data also does not suggest that $N(C; X) \ll X^{1-\delta}$ for any particular $\delta > 0$.
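The counting function $N(C; X)$ and the genus-theory divisibility discussed in this section can be reproduced at small scale. The following Python sketch is an added example, not the authors' PARI-GP computation: it obtains the class number of $\mathbb{Q}(\sqrt{-D})$ by counting reduced binary quadratic forms of discriminant $-D$ (a substitute method assumed here), and all function names are hypothetical.

```python
# Added example: odd parts of class numbers h_D of Q(sqrt(-D)), computed by
# counting reduced binary quadratic forms instead of calling PARI-GP.
from math import isqrt

def class_number(D):
    """h_D for a fundamental discriminant -D: count reduced forms (a, b, c)
    with b^2 - 4ac = -D and |b| <= a <= c."""
    h, b = 0, D % 2                      # b has the same parity as D
    while 3 * b * b <= D:
        q = (b * b + D) // 4             # q = a * c
        a = max(b, 1)
        while a * a <= q:
            if q % a == 0:
                # (a, b, c) and (a, -b, c) are equivalent in these edge cases
                h += 1 if (b == 0 or a == b or a * a == q) else 2
            a += 1
        b += 2
    return h

def odd_part(n):
    while n % 2 == 0:
        n //= 2
    return n

def minus_D_is_fundamental(D):
    """True if -D (with D > 0) is a fundamental discriminant."""
    m = D // 4 if D % 4 == 0 else D
    ok = D % 4 == 3 or (D % 4 == 0 and m % 4 in (1, 2))
    return ok and all(m % (d * d) for d in range(2, isqrt(m) + 1))

def nu(D):
    """Number of odd primes dividing D."""
    D //= D & -D                         # strip the power of two
    count, f = 0, 3
    while f * f <= D:
        if D % f == 0:
            count += 1
            while D % f == 0:
                D //= f
        f += 2
    return count + (D > 1)

def N(C, X):
    """N(C; X) = #{-D in D(X) : h_D^odd <= C}."""
    return sum(1 for D in range(3, X + 1)
               if minus_D_is_fundamental(D) and odd_part(class_number(D)) <= C)

def genus_bound_holds(D):
    """Genus theory: 2^(nu(D) - 1) divides h_D."""
    return class_number(D) % 2 ** max(nu(D) - 1, 0) == 0
```

Fields counted by `N(C, X)` are exactly those that fail the hypothesis of Theorem 20 for the constant $C$, so the function measures how many fields the independence result leaves uncovered.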